Bug 1368040

Summary: Qemu-kvm coredump in repeating hotplug/hot remove virtio-gpu device
Product: Red Hat Enterprise Linux 7
Reporter: Guo, Zhiyi <zhguo>
Component: qemu-kvm-rhev
Assignee: Gerd Hoffmann <kraxel>
Status: CLOSED ERRATA
QA Contact: Guo, Zhiyi <zhguo>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.3
CC: chayang, jinzhao, juzhang, knoel, michen, mrezanin, virt-maint, xfu, zhguo
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version: qemu-kvm-rhev-2.9.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 23:34:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 1401400

Description Guo, Zhiyi 2016-08-18 07:54:58 UTC
Description of problem:
Qemu-kvm coredump in repeating hotplug/hot remove virtio-gpu device

Version-Release number of selected component (if applicable):
qemu-kvm-rhev package: qemu-kvm-rhev-2.6.0-21.el7.x86_64
host kernel: 3.10.0-489.el7.x86_64

How reproducible:
100% reproducible

Steps to Reproduce:
1. Boot a Windows 10 guest using the qemu cli:
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
        -cpu Haswell-noTSX \
        -smp 6,threads=2,cores=1,sockets=3,maxcpus=6 \
        -device virtio-vga \
        -device virtio-gpu \
        -spice port=5901,disable-ticketing \
        -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
        -serial unix:/tmp/m,server,nowait \
        -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
        -drive file=rhel73.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop \
        -device virtio-scsi-pci,id=scsi0,disable-modern=off,disable-legacy=off \
        -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
        -monitor stdio \
        -usb -device usb-kbd,id=input0 \
        -netdev tap,id=idinWyYp -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
        -qmp tcp:localhost:4444,server,nowait \
        -device ich9-intel-hda -device hda-duplex

2. Hot plug a new virtio-gpu into the guest via QMP:
{ "execute": "device_add","arguments":{"driver":"virtio-gpu","id":"gpu1"}}
3. Hot remove this virtio-gpu from the guest:
{ "execute": "device_del","arguments":{"id":"gpu1"}}
4. Hot plug the virtio-gpu into the guest again via QMP:
{ "execute": "device_add","arguments":{"driver":"virtio-gpu","id":"gpu1"}}

Actual results:
qemu-kvm crashes with:
(gdb) bt
#0  0x00007f6f329ae1d7 in raise () from /lib64/libc.so.6
#1  0x00007f6f329af8c8 in abort () from /lib64/libc.so.6
#2  0x00007f6f329a7146 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007f6f329a71f2 in __assert_fail () from /lib64/libc.so.6
#4  0x00007f6f3e6e706d in vmstate_register_with_alias_id (dev=<optimized out>, 
    instance_id=<optimized out>, 
    vmsd=0x7f6f3ece1ba0 <vmstate_virtio_gpu_unmigratable>, opaque=0x7f6f43074340, 
    alias_id=<optimized out>, required_for_version=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/migration/savevm.c:622
#5  0x00007f6f3e70c9db in virtio_device_realize (dev=0x7f6f43074340, 
    errp=0x7ffd85b045f0) at /usr/src/debug/qemu-2.6.0/hw/virtio/virtio.c:1877
#6  0x00007f6f3e7e0a56 in device_set_realized (obj=<optimized out>, 
    value=<optimized out>, errp=0x7ffd85b047d0) at hw/core/qdev.c:1076
#7  0x00007f6f3e8b503e in property_set_bool (obj=0x7f6f43074340, v=<optimized out>, 
    name=<optimized out>, opaque=0x7f6f49d81000, errp=0x7ffd85b047d0)
    at qom/object.c:1861
#8  0x00007f6f3e8b8d07 in object_property_set_qobject (obj=0x7f6f43074340, 
    value=<optimized out>, name=0x7f6f3e9b1ead "realized", errp=0x7ffd85b047d0)
    at qom/qom-qobject.c:26
#9  0x00007f6f3e8b6b80 in object_property_set_bool (obj=0x7f6f43074340, 
    value=<optimized out>, name=0x7f6f3e9b1ead "realized", errp=0x7ffd85b047d0)
    at qom/object.c:1158
#10 0x00007f6f3e6f4e6e in virtio_gpu_pci_realize (vpci_dev=0x7f6f4306c000, 
    errp=0x7ffd85b047d0) at /usr/src/debug/qemu-2.6.0/hw/display/virtio-gpu-pci.c:34
#11 0x00007f6f3e867255 in virtio_pci_realize (pci_dev=0x7f6f4306c000, 
    errp=0x7ffd85b047d0) at hw/virtio/virtio-pci.c:1847
#12 0x00007f6f3e831e7c in pci_qdev_realize (qdev=0x7f6f4306c000, errp=0x7ffd85b04860)
    at hw/pci/pci.c:1966
#13 0x00007f6f3e7e0a56 in device_set_realized (obj=<optimized out>, 
    value=<optimized out>, errp=0x7ffd85b04998) at hw/core/qdev.c:1076
#14 0x00007f6f3e8b503e in property_set_bool (obj=0x7f6f4306c000, v=<optimized out>, 
    name=<optimized out>, opaque=0x7f6f49d81180, errp=0x7ffd85b04998)
    at qom/object.c:1861
#15 0x00007f6f3e8b8d07 in object_property_set_qobject (obj=0x7f6f4306c000, 
    value=<optimized out>, name=0x7f6f3e9b1ead "realized", errp=0x7ffd85b04998)
    at qom/qom-qobject.c:26
#16 0x00007f6f3e8b6b80 in object_property_set_bool (obj=0x7f6f4306c000, 
    value=<optimized out>, name=0x7f6f3e9b1ead "realized", errp=0x7ffd85b04998)
    at qom/object.c:1158
#17 0x00007f6f3e78f3cc in qdev_device_add (opts=opts@entry=0x7f6f40ff0f50, 
    errp=errp@entry=0x7ffd85b04a70) at qdev-monitor.c:617
#18 0x00007f6f3e78f9b3 in qmp_device_add (qdict=<optimized out>, 
    ret_data=<optimized out>, errp=0x7ffd85b04ad0) at qdev-monitor.c:794
#19 0x00007f6f3e6c2d15 in handle_qmp_command (parser=<optimized out>, 
    tokens=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:3929
#20 0x00007f6f3e9504a8 in json_message_process_token (lexer=0x7f6f40fe9f08, 
    input=0x7f6f40fd9680, type=JSON_RCURLY, x=74, y=5) at qobject/json-streamer.c:105
#21 0x00007f6f3e964f4b in json_lexer_feed_char (lexer=lexer@entry=0x7f6f40fe9f08, 
    ch=125 '}', flush=flush@entry=false) at qobject/json-lexer.c:310
#22 0x00007f6f3e96500e in json_lexer_feed (lexer=0x7f6f40fe9f08, 
    buffer=<optimized out>, size=<optimized out>) at qobject/json-lexer.c:360
#23 0x00007f6f3e950569 in json_message_parser_feed (parser=<optimized out>, 
    buffer=<optimized out>, size=<optimized out>) at qobject/json-streamer.c:124
#24 0x00007f6f3e6c12cb in monitor_qmp_read (opaque=<optimized out>, 
    buf=<optimized out>, size=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/monitor.c:3945
#25 0x00007f6f3e794bd1 in tcp_chr_read (chan=<optimized out>, cond=<optimized out>, 
    opaque=0x7f6f41097e60) at qemu-char.c:2895
#26 0x00007f6f337abd7a in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#27 0x00007f6f3e8c1d70 in glib_pollfds_poll () at main-loop.c:213
#28 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:258
#29 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:506
#30 0x00007f6f3e690d2f in main_loop () at vl.c:1936
#31 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at vl.c:4679


Expected results:
qemu and guest stay alive

Additional info:
The issue can also be reproduced against a rhel7.3 guest with kernel 3.10.0-489.el7.x86_64: hot unplug from the rhel guest will trigger "Bug 1368032 - kernel crash after hot remove virtio-gpu device", and a repeated hot unplug will cause qemu to crash too.
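A QMP regression check for the cycle in steps 2-4, written as an added example for this report (not the reporter's or QEMU's code). It assumes the `-qmp tcp:localhost:4444` monitor from the command line above and classifies the run as crashed (the monitor connection drops, as with the abort() in the backtrace), rejected (a build that refuses the device_add, as the verification in comment 5 shows), or survived; the scripted sender replays constructed replies so the check also runs offline.

```python
import json
import socket


def tcp_sender(host="localhost", port=4444):
    """send() for the -qmp tcp:localhost:4444 monitor on the report's command line.
    Returns None when QEMU drops the connection, which is how the abort() shows up."""
    f = socket.create_connection((host, port)).makefile("rw", encoding="utf-8")
    f.readline()                                   # greeting banner ({"QMP": ...})

    def send(cmd):
        try:
            f.write(json.dumps(cmd) + "\n")
            f.flush()
            while True:
                line = f.readline()
                if not line:                       # EOF: the monitor is gone
                    return None
                msg = json.loads(line)
                if "event" not in msg:             # skip async events (e.g. DEVICE_DELETED)
                    return msg
        except OSError:                            # broken pipe / reset after the crash
            return None

    send({"execute": "qmp_capabilities"})          # leave capabilities negotiation mode
    return send


def scripted_sender(replies):
    """Offline stand-in: hands out constructed replies in order, then None (link dropped)."""
    it = iter(replies)
    return lambda cmd: next(it, None)


def hotplug_cycle(send, driver="virtio-gpu", dev_id="gpu1"):
    """Run steps 2-4 of the report and return (outcome, detail)."""
    steps = [("device_add", {"driver": driver, "id": dev_id}),
             ("device_del", {"id": dev_id}),       # async: guest acks via DEVICE_DELETED
             ("device_add", {"driver": driver, "id": dev_id})]
    for n, (cmd, args) in enumerate(steps, start=2):
        resp = send({"execute": cmd, "arguments": args})
        if resp is None:
            return "crashed", f"monitor connection lost during step {n} ({cmd})"
        if "error" in resp:
            return "rejected", f"step {n} ({cmd}): {resp['error'].get('desc')}"
    return "survived", "device re-added after unplug; qemu still answering"


OK = {"return": {}}
BUGGY_BUILD = [OK, OK]        # constructed: the third command never gets an answer
FIXED_BUILD = [{"error": {"class": "GenericError",
                          "desc": "Parameter 'driver' expects pluggable device type"}}]
```

Because device_del completes asynchronously, a re-add issued before the guest has acknowledged the unplug may be answered with an error on a healthy build, which the check reports as rejected rather than crashed.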

Comment 2 Gerd Hoffmann 2017-01-09 14:08:20 UTC
https://patchwork.ozlabs.org/patch/712720/

Comment 3 Gerd Hoffmann 2017-03-14 08:31:42 UTC
upstream commit a2056e09b02745e5d000351a8a7938fa8a292ba7

Comment 5 jingzhao 2017-05-05 08:29:25 UTC
Reproduced the bz on qemu-kvm-rhev-2.6.0-22.el7.x86_64

Verified the bz on qemu-kvm-rhev-2.9.0-2.el7.x86_64

Following are the details:

1. Boot guest with qemu cli [1]

2. Hot-plug the virtio-gpu device through QMP

{ "execute": "device_add","arguments":{"driver":"virtio-gpu-device","id":"gpu1"}}
{"error": {"class": "GenericError", "desc": "Parameter 'driver' expects pluggable device type"}}

{ "execute": "device_add","arguments":{"driver":"virtio-gpu-pci","id":"gpu1"}}
{"error": {"class": "GenericError", "desc": "Parameter 'driver' expects pluggable device type"}}

[1]
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
        -cpu Haswell-noTSX \
        -smp 6,threads=2,cores=1,sockets=3,maxcpus=6 \
        -device virtio-vga \
        -device virtio-gpu \
        -spice port=5901,disable-ticketing \
        -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
        -serial unix:/tmp/m,server,nowait \
        -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
        -drive file=/home/test/rhel/rhel74.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop \
        -device virtio-scsi-pci,id=scsi0,disable-modern=off,disable-legacy=off \
        -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
        -monitor stdio \
        -usb -device usb-kbd,id=input0 \
        -netdev tap,id=idinWyYp -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
        -qmp tcp:localhost:4444,server,nowait \
        -device ich9-intel-hda -device hda-duplex

Thanks
Jing

Comment 6 jingzhao 2017-05-05 08:30:50 UTC
According to comment 5 and comment 2, moving it to VERIFIED.

Comment 8 errata-xmlrpc 2017-08-01 23:34:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 9 errata-xmlrpc 2017-08-02 01:12:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 10 errata-xmlrpc 2017-08-02 02:04:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 11 errata-xmlrpc 2017-08-02 02:45:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 12 errata-xmlrpc 2017-08-02 03:09:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Comment 13 errata-xmlrpc 2017-08-02 03:29:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392